U.S. soldiers are revealing sensitive and dangerous information by jogging

GPS tracking company Strava published an interactive map in Nov. 2017, showing where people have used fitness tracking devices. The map highlights American military bases overseas. (Patrick Martin/The Washington Post)

BEIRUT — An interactive map posted on the Internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the locations and activities of soldiers at U.S. military bases, in what appears to be a major security oversight.

The Global Heat Map, published by the GPS tracking company Strava, uses satellite information to map the locations and movements of subscribers to the company’s fitness service over a two-year period, by illuminating areas of activity.

Strava says it has 27 million users around the world, including people who own widely available fitness devices such as Fitbit and Jawbone, as well as people who directly subscribe to its mobile app. The map is not live — rather, it shows a pattern of accumulated activity between 2015 and September 2017.

Most parts of the United States and Europe, where millions of people use some type of fitness tracker, show up on the map as blazes of light because there is so much activity.

A portion of the Strava Labs heat map from Kandahar Airfield in Afghanistan, made by tracking activities. (Screen shot)

In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.

The U.S.-led coalition against the Islamic State said on Monday it is revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations.

The existing rules on the privacy settings to be applied to devices such as fitness trackers are being “refined” and commanders at bases are being urged to enforce existing rules governing their use, according to a statement from the Central Command press office in Kuwait.

“The rapid development of new and innovative information technologies enhances the quality of our lives but also poses potential challenges to operational security and force protection,” said the statement, which was issued in response to questions from The Washington Post.

“The Coalition is in the process of implementing refined guidance on privacy settings for wireless technologies and applications, and such technologies are forbidden at certain Coalition sites and during certain activities,” it added.

The Pentagon has encouraged the use of Fitbits among military personnel and in 2013 distributed 2,500 of them as part of a pilot program to battle obesity.

The Global Heat Map was posted online in November 2017, but the information it contains was publicized Saturday only after a 20-year-old Australian student stumbled across it.

Fitbit announced that their latest smartwatch, the Blaze, will feature a touchscreen and have several smart app capabilities including text, phone, and calendar alerts. Fitbit's product marketing manager Lindsey Cook explains why at CES. (Jhaan Elker/The Washington Post)

Nathan Ruser, who is studying international security and the Middle East, found out about the map from a mapping blog and was inspired to look more closely, he said, after a throwaway comment by his father, who observed that the map offered a snapshot of “where rich white people are” in the world.

“I wondered, does it show U.S. soldiers?” Ruser said, and he immediately zoomed in on Syria. “It sort of lit up like a Christmas tree.”

He started tweeting about his discovery, and the Internet also lit up as data analysts, military experts and former soldiers began scouring the map for evidence of activity in their areas of interest.

Adam Rawnsley, a Daily Beast journalist, noticed a lot of jogging activity on the beach near a suspected CIA base in Mogadishu, Somalia.

Another Twitter user said he had located a Patriot missile system site in Yemen.

Ben Taub, a journalist with the New Yorker, homed in on the location of U.S. Special Operations bases in the Sahel region of Africa.

The site does not identify app users and shows many locations that may be connected to aid agencies, U.N. facilities and the military bases of other nations — or any group whose personnel are likely to use fitness trackers, said Tobias Schneider, an international security analyst based in Germany.

But it is not hard, he said, to map the activity to known, or roughly known, U.S. military sites and then glean further information.

The location of most of the sites is public knowledge — such as the vast Kandahar air base in Afghanistan. The Pentagon has publicly acknowledged that U.S. Special Operations troops maintain a small outpost at Tanf in the Syrian desert near the Iraqi border, which shows up on the map as a neatly illuminated oblong, probably because U.S. soldiers wearing Fitbits or similar devices either jog around or patrol the perimeter.

But the data also offers a mine of information to anyone who wants to attack or ambush U.S. troops in or around the bases, Schneider said, including patterns of activity inside the bases. Many people wear their fitness trackers all day to measure their total step counts, and soldiers appear to be no exception, meaning the maps reveal far more than just their exercise habits.

Lines of activity extending out of bases and back may indicate patrol routes. The map of Afghanistan appears as a spider web of lines connecting bases, showing supply routes, as does northeast Syria, where the United States maintains a network of mostly unpublicized bases. Concentrations of light inside a base may indicate where troops live, eat or work, suggesting possible targets for enemies.

At a site in northern Syria near a dam, where analysts have suspected the U.S. military is building a base, the map shows a small blob of activity accompanied by an intense line along the nearby dam, suggesting that the personnel at the site jog regularly along the dam, Schneider said.

“This is a clear security threat,” he said. “You can see a pattern of life. You can see where a person who lives on a compound runs down a street to exercise. In one of the U.S. bases at Tanf, you can see people running round in circles.”

“Big OPSEC [operations security] and PERSEC [personal security] fail,” tweeted Nick Waters, a former British army officer who pinpointed the location of his former base in Afghanistan using the map. “Patrol routes, isolated patrol bases, lots of stuff that could be turned into actionable intelligence.”

By no means is all the activity discovered related to U.S. forces, Schneider said. The perimeter of the main Russian base in Syria, Hmeimim, is clearly visible — as are several routes out of the base that are presumably taken by patrols, he said.

Other Russian bases also show up, but Iranians either don’t use fitness trackers or prudently turn them off, he noted.

Strava apps and devices contain an option to turn off the data transmission service, making it more the responsibility of the user to ensure that security isn’t breached, Ruser said. “It seems like a big oversight,” he said.

Strava issued a statement overnight saying that it is “committed to working with military and government officials to address sensitive areas that might appear.” An earlier company statement had urged its subscribers to check their privacy settings and provided a link to a site that explained how to do that.